/// <summary>
/// Generates an instruction that will be used to encrypt an object
/// using materials with the KMSKeyID set.
/// </summary>
/// <param name="kmsClient">
/// Used to call KMS to generate a data key.
/// </param>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt data.
/// </param>
/// <returns>
/// The instruction that will be used to encrypt an object.
/// </returns>
internal static async System.Threading.Tasks.Task <EncryptionInstructions> GenerateInstructionsForKMSMaterialsAsync(
IAmazonKeyManagementService kmsClient, EncryptionMaterials materials)
{
if (materials.KMSKeyID == null)
{
throw new ArgumentNullException(nameof(materials.KMSKeyID), KmsKeyIdNullMessage);
}
var iv = new byte[IVLength];
// Generate IV, and get both the key and the encrypted key from KMS.
RandomNumberGenerator.Create().GetBytes(iv);
var generateDataKeyResult = await kmsClient.GenerateDataKeyAsync(materials.KMSKeyID, materials.MaterialsDescription, KMSKeySpec).ConfigureAwait(false);
return(new EncryptionInstructions(materials.MaterialsDescription, generateDataKeyResult.KeyPlaintext, generateDataKeyResult.KeyCiphertext, iv,
XAmzWrapAlgKmsValue, XAmzAesCbcPaddingCekAlgValue));
}
///<inheritdoc/>
public AmazonS3EncryptionClient(string awsAccessKeyId, string awsSecretAccessKey, string awsSessionToken, RegionEndpoint region, EncryptionMaterials materials)
: base(awsAccessKeyId, awsSecretAccessKey, awsSessionToken, region, materials)
{
S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
///<inheritdoc/>
public AmazonS3EncryptionClient(string awsAccessKeyId, string awsSecretAccessKey, AmazonS3CryptoConfiguration config, EncryptionMaterials materials)
: base(awsAccessKeyId, awsSecretAccessKey, config, materials)
{
}
///<inheritdoc/>
public AmazonS3EncryptionClient(AWSCredentials credentials, AmazonS3CryptoConfiguration config, EncryptionMaterials materials)
: base(credentials, config, materials)
{
}
///<inheritdoc/>
public AmazonS3EncryptionClient(AWSCredentials credentials, RegionEndpoint region, EncryptionMaterials materials)
: base(credentials, region, materials)
{
S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
///<inheritdoc/>
public AmazonS3EncryptionClient(AmazonS3CryptoConfiguration config, EncryptionMaterials materials)
: base(config, materials)
{
}
///<inheritdoc/>
public AmazonS3EncryptionClient(RegionEndpoint region, EncryptionMaterials materials)
: base(region, materials)
{
S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
///<inheritdoc/>
public AmazonS3EncryptionClient(EncryptionMaterials materials) : base(materials)
{
S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
/// <summary>
/// Build encryption instructions for UploadPartEncryptionContext
/// </summary>
/// <param name="context">UploadPartEncryptionContext which contains instructions used for encrypting multipart object</param>
/// <param name="encryptionMaterials">EncryptionMaterials which contains material used for encrypting multipart object</param>
/// <returns></returns>
internal static EncryptionInstructions BuildEncryptionInstructionsForInstructionFile(UploadPartEncryptionContext context, EncryptionMaterials encryptionMaterials)
{
var instructions = new EncryptionInstructions(encryptionMaterials.MaterialsDescription, context.EnvelopeKey, context.EncryptedEnvelopeKey, context.FirstIV);
return(instructions);
}
/// <summary>
/// Builds an instruction object from the instruction file.
/// </summary>
/// <param name="response"> Instruction file GetObject response</param>
/// <param name="materials">
/// The non-null encryption materials to be used to encrypt and decrypt Envelope key.
/// </param>
/// <param name="decryptNonKmsEnvelopeKey">Func to be used to decrypt non KMS envelope key</param>
/// <returns>
/// A non-null instruction object containing encryption information.
/// </returns>
internal static EncryptionInstructions BuildInstructionsUsingInstructionFile(GetObjectResponse response, EncryptionMaterials materials,
Func <byte[], EncryptionMaterials, byte[]> decryptNonKmsEnvelopeKey)
{
using (TextReader textReader = new StreamReader(response.ResponseStream))
{
JsonData jsonData = JsonMapper.ToObject(textReader);
var base64EncodedEncryptedEnvelopeKey = jsonData["EncryptedEnvelopeKey"];
byte[] encryptedEnvelopeKey = Convert.FromBase64String((string)base64EncodedEncryptedEnvelopeKey);
byte[] decryptedEnvelopeKey = decryptNonKmsEnvelopeKey(encryptedEnvelopeKey, materials);
var base64EncodedIV = jsonData["IV"];
byte[] IV = Convert.FromBase64String((string)base64EncodedIV);
return(new EncryptionInstructions(materials.MaterialsDescription, decryptedEnvelopeKey, IV));
}
}
/// <summary>
/// Generates an instruction that will be used to encrypt an object
/// using materials with the AsymmetricProvider or SymmetricProvider set.
/// </summary>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt data.
/// </param>
/// <returns>
/// The instruction that will be used to encrypt an object.
/// </returns>
internal static EncryptionInstructions GenerateInstructionsForNonKMSMaterials(EncryptionMaterials materials)
{
byte[] encryptedEnvelopeKey = null;
// Generate the IV and key, and encrypt the key locally.
Aes aesObject = Aes.Create();
if (materials.AsymmetricProvider != null)
{
encryptedEnvelopeKey = EncryptEnvelopeKeyUsingAsymmetricKeyPair(materials.AsymmetricProvider, aesObject.Key);
}
else if (materials.SymmetricProvider != null)
{
encryptedEnvelopeKey = EncryptEnvelopeKeyUsingSymmetricKey(materials.SymmetricProvider, aesObject.Key);
}
else
{
throw new ArgumentException("Error generating encryption instructions. " +
"EncryptionMaterials must have the AsymmetricProvider or SymmetricProvider set.");
}
return(new EncryptionInstructions(materials.MaterialsDescription, aesObject.Key, encryptedEnvelopeKey, aesObject.IV, XAmzAesCbcPaddingCekAlgValue));
}
